b'imp   Office of Audits\n      Office of Inspector General\n      U.S. General Services Administration\n\n\n\n\n      IMPLEMENTATION REVIEW OF CORRECTIVE ACTION PLAN\n\n      Audit of PBS\xe2\x80\x99s Controls Over\n      Security of Building Information\n      Report Number A070216/P/R/R08005\n      Dated September 30, 2008\n      Assignment Number A120079\n      May 3, 2012\n\x0c               Office of Audits\n               Office of Inspector General\n               U.S. General Services Administration\n\n\n DATE:            May 3, 2012\n\n TO:              Linda Chero\n                  Acting Commissioner, Public Buildings Service (P)\n FROM:            Susan P. Hall signed by Susan P. Hall\n                  Audit Manager, Real Property Audit Office (JA-R)\n SUBJECT:         Implementation Review of Corrective Action Plan\n                  Audit Of PBS\xe2\x80\x99s Controls Over Security of Building Information\n                  Report Number A070216/P/R/R08005, Dated September 30, 2008\n\n                  Assignment Number A120079\n\n\nWe have completed an implementation review of the management actions taken in\nresponse to the three recommendations contained in the subject audit report. We found\nthat the Public Buildings Service\xe2\x80\x99s (PBS) revised corrective action plan, dated July 15,\n2009 (see Appendix B) addressed the audit recommendations. However, during our\nreview we identified a related issue we would like to bring to your attention.\n\nOther Issue\n\nOne PBS action addressing Recommendation 3 was to \xe2\x80\x9cDevelop guidance for regional\nPBS acquisition program review, which requires verification of 3490.1A clause in\ncontracts that contain or create SBU building information.\xe2\x80\x9d Essentially, this action would\nrequire reviews to ensure that contracts include a clause compelling contractors to\nsecure sensitive information related to buildings.\n\nWhile the guidance has been developed and issued, as part of our testing, we\nrequested the results of the program reviews to verify that applicable contracts did, in\nfact, contain the required clauses. This is especially important since our initial review\ndisclosed that PBS contracting officers were inconsistently implementing the detailed\nPBS policy issued to safeguard sensitive building information. PBS was unable to\nprovide these results and a PBS official indicated the reviews were not being performed.\n\n\n\n\n                                            1\n\x0cScope and Methodology\n\nTo accomplish this implementation review we: (1) examined the documentation\nsubmitted by PBS which supported accomplishment of the action plan steps; (2)\nperformed limited testing of the implementation of the guidance contained in these\nsupporting documents; and (3) met and corresponded with PBS personnel.\n\nIf you have any questions regarding this report, please contact me or any member of\nthe audit team at the following:\n\n      Susan Hall             Audit Manager       susan.hall@gsaig.gov     (202)501-2073\n      Felicia Silver         Auditor-In-Charge   felicia.silver@gsaig.gov (202)501-1360\n\nOn behalf of the audit team, I would like to thank you and your staff for your assistance\nduring this review.\n\n\n\n\n                                           2\n\x0cAppendix A \xe2\x80\x93 Recommendations from Report Number\nA070216/P/R/R08005\n                                                     Assignment Number A120079\n\n\nWe recommend that the PBS Commissioner:\n\n  1. Incorporate PBS 3490.1 requirements directly into the boilerplate Solicitation for\n     Offers and contracts for A/Es, construction, and lease construction contracts.\n\n        a. Require contractors to include PBS 3490.1 requirements in their\n           subcontracts.\n\n        b. Develop a course of action to be taken when contractors do not fulfill their\n           contractual obligations regarding the protection of SBU information.\n\n  2. Ensure PBS officials are provided training on the PBS 3490.1. The training\n     should include encryption software applications available to PBS project\n     personnel.\n\n  3. Implement a system of controls to ensure that PBS 3490.1 requirements are\n     being followed by PBS project teams.\n\n\n\n\n                                         A-1\n\x0cAppendix B \xe2\x80\x93 Management\xe2\x80\x99s Corrective Action Plan\n                                                          Assignment Number A120079\n\nPUBLIC BUILDINGS SERVICE REVISED ACTION PLAN\n\nCONTROLS OVER SECURITY OF BUILDING INFORMATION\n\n\n\nDesignated Responding Official: Diane L. Herdt, PBS CIO                Revised as of 7-15-09\n\nContact Person: Wayne Smedley                                          Completion Date\n\nTelephone Number: 202-501-9135                                         September 30, 2009\n\nDate: 07/15/2009\n\n\n\n\n                                          B-1\n\x0cAppendix B \xe2\x80\x93 Management\xe2\x80\x99s Corrective Action Plan (cont.)\n                                    Assignment Number A120079\n\n\n\n\n                         B-2\n\x0cAppendix C \xe2\x80\x93 Report Distribution\n                                                        Assignment Number A120079\n\nActing Commissioner, Public Buildings Service (P)\n\nRegional Administrator, National Capital Region (NCR)\n\nRegional Administrator, Southeast Sunbelt Region (4A)\n\nRegional Administrator, Greater Southwest Region (7A)\n\nActing Regional Inspector General for Auditing (JA-4, JA-7)\n\nSpecial Agent in Charge (JI-W, JI-4, JI-7)\n\nOffice of Inspector General (J)\n\nAssistant Inspector General for Auditing (JA, JAO)\n\nAssistant Inspector General for Investigations (JI)\n\nOffice of the Chief Financial Officer (B)\n\nDivision Director, GAO/IG Audit Response Division (H1C)\n\n\n\n\n                                            C-1\n\x0c'